Dropper.DP.A Trojan?

As I've mentioned, I have AVG free edition 6.0 on my machines at home. While
I've been playing with them in the last day or so I checked the test results
on the machine that houses my modem and shares it on my LAN. Running XP Pro
with the built-in firewall enabled and using ICS. No email programs run on
this machine.

The machine is set to scan every day and I've never seen it detect a virus.
However, in the test results it tells me that I have the Dropper.DP.A
'virus' in
D:\RECYCLER\S-1-5-21-1220945662-1935655697-1343024091-1003\DD1\NET.ZIP.\NETLIGHT.EXE
and its status is 'Still infected'.

The D: drive on this machine is a 10GB drive that contains my mp3 collection
and the incoming folder for Kazaa (mapped and run from another machine). I
have 'emptied' the recycle bin, even though it was empty. Then I re-scanned
with AVG, using the latest definition, and it's still there, no change.

I've done a web-search for Dropper.DP.A and found no results. I checked
Grisoft's site and there are various 'Droppers' listed (but not this one?)
and it seems that they are all trojans that can over-write or write to the
boot sector of drives.

I went to Symantec's site and they don't have this variant listed either.
While I was there I did a remote virus scan using their tools and it came up
clean. However, another local scan with AVG still shows it as being on the
machine.

I tried to delete the 'Recycler' folder but Windows won't allow it as it's a
system file.

I've scanned all my other machines on the LAN and they come up clean, using
AVG and the same definition file.

What do I do next? I've thought about copying all the data off this drive
across the LAN to my machine and re-formatting the drive concerned. Is this
the best option?

Thoughts please? As you can imagine, I'm a little concerned. I'm not sure
how I got it, all I can think of is that it came through Kazaa.


Two, you can manually rename / delete the file, you will have to look at
Google with the procedure about what files / folders that you unhide and how
to turn file locking / protection etc off. Just be careful.

Three, Stick the HDD in another system with an OS that can access NTFS (if
you are using it) and scan / delete / repair from that system (This is what
I usually do)

"~misfit~" <misfit@'SPAMTRAP'orcon.net.nz> wrote in message
news:Giy5b.136844$...
> As I've mentioned, I have AVG free edition 6.0 on my machines at home. While
> I've been playing with them in the last day or so I checked the test results
> on the machine that houses my modem and shares it on my LAN. Running XP Pro
> with the built-in firewall enabled and using ICS. No email programs run on
> this machine.
>
> The machine is set to scan every day and I've never seen it detect a virus.
> However, in the test results it tells me that I have the Dropper.DP.A
> 'virus' in
> D:\RECYCLER\S-1-5-21-1220945662-1935655697-1343024091-1003\DD1\NET.ZIP.\NETLIGHT.EXE
> and its status is 'Still infected'.
>
> The D: drive on this machine is a 10GB drive that contains my mp3 collection
> and the incoming folder for Kazaa (mapped and run from another machine). I
> have 'emptied' the recycle bin, even though it was empty. Then I re-scanned
> with AVG, using the latest definition, and it's still there, no change.
>
> I've done a web-search for Dropper.DP.A and found no results. I checked
> Grisoft's site and there are various 'Droppers' listed (but not this one?)
> and it seems that they are all trojans that can over-write or write to the
> boot sector of drives.
>
> I went to Symantec's site and they don't have this variant listed either.
> While I was there I did a remote virus scan using their tools and it came up
> clean. However, another local scan with AVG still shows it as being on the
> machine.
>
> I tried to delete the 'Recycler' folder but Windows won't allow it as it's a
> system file.
>
> I've scanned all my other machines on the LAN and they come up clean, using
> AVG and the same definition file.
>
> What do I do next? I've thought about copying all the data off this drive
> across the LAN to my machine and re-formatting the drive concerned. Is this
> the best option?
>
> Thoughts please? As you can imagine, I'm a little concerned. I'm not sure
> how I got it, all I can think of is that it came through Kazaa.
>
> Thanks,
> --
> ~misfit~
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.515 / Virus Database: 313 - Release Date: 1/09/2003


"The Flash" <> wrote in message
news:bqz5b.136893$...
> Three options here, one just ignore it.
>
> Two, you can manually rename / delete the file, you will have to look at
> Google with the procedure about what files / folders that you unhide and how
> to turn file locking / protection etc off. Just be careful.
>
> Three, Stick the HDD in another system with an OS that can access NTFS (if
> you are using it) and scan / delete / repair from that system (This is what
> I usually do)
>
> For a good online scanner try this : http://housecall.trendmicro.com/

Trying the trendmicro thing now. As it's not my boot drive and it's on an XP
system can I just run those commands on the system it's in?

If so what will they do and how do I run them? Will they destroy the data at
all? (other than the trojan).

Thanks for the advice. I'm not comfortable ignoring it.

'Two,' sounds a little complicated and I'll keep it as a last resort for
now. I'm unable to delete or rename the file as Windows keeps insisting it's
in use.


I think XP safemode still locks these files. You might need a DOS (Win9x)
boot disk (you did say it was a fat32 drive?) and a copy of deltree.exe
(from %win%\command\ as it's not on the EBD by default)

I was going to suggest the same thing, except from shell (boot - F8 -
shell only)

One beauty of having a dual boot system: if one of my os' goes down or
does something stupid I can usually boot into the other and fix it from
the outside

BTW did you mistype the path to that file? d:\recycler\etc ??? looks
fishy to me as it is.
Also that huge alphanumerical directory after looks fishy in that place.
i.i.r.c. XP uses those for system restore states, and possibly for
checkdisk purposes but I don't think I've seen them in the recycle bin,
ever.

You might try to dis-associate XP from zip files and that might free
access to this thing if that has anything to do with it being locked.
You could turn off the recycle bin for drive D:\ if it in fact IS the
recycle bin.

"Peter Huebner" <> wrote in message
news:...
> In article <4DC5b.137052$>,
> misfit@'SPAMTRAP'orcon.net.nz says...
> > "Andrew" <> wrote in message
> > news:y_A5b.1121$...
> > > You could try loading up in Safemode and then try deleting it
> >
> > Thanks Andrew, I'll add that to my list of possible fixes.
> > --
> > ~misfit~
>
>
> I was going to suggest the same thing, except from shell (boot - F8 -
> shell only)
>
> One beauty of having a dual boot system: if one of my os' goes down or
> does something stupid I can usually boot into the other and fix it from
> the outside
>
> BTW did you mistype the path to that file? d:\recycler\etc ??? looks
> fishy to me as it is.
> Also that huge alphanumerical directory after looks fishy in that place.
> i.i.r.c. XP uses those for system restore states, and possibly for
> checkdisk purposes but I don't think I've seen them in the recycle bin,
> ever.
>
> You might try to dis-associate XP from zip files and that might free
> access to this thing if that has anything to do with it being locked.
> You could turn off the recycle bin for drive D:\ if it in fact IS the
> recycle bin.

On all my XP machines, when I look in a drive or partition there is always a
folder called 'recycler' (I have my preferences set to show hidden and
system files) I typed the file path exactly as AVG reported it,
double-checked it too.

Anyway, I've just copied all my data off the drive to a networked machine
and the disk in question is being re-formatted as we speak. (64%) NTFS by
the way, as it was before.

Thanks for the input. Most of my other systems are dual or triple boot (XP,
98SE and Mandrake 9.1) but this machine only has a 2 GB C: drive for the OS
and the 10 GB drive for mp3 storage. As I said previously, it's only used as
a modem/firewall/ICS machine and a file server. It's an old Celeron
Mendocino 400 @ 545MHz. XP Pro, 128MB RAM, modem and NIC. (Oh, and an old
AGP GeForce2 MX400/64MB that was unreliable in my main machine (just
wouldn't start one morning) but hasn't missed a beat since I put it in this
one.) Bit of a waste of a graphics card for a file-server really, overkill
when a 2MB PCI card would do. Or an 8MB S3 AGP I have here. But as it proved
to be flakey in my main machine I'm loath to sell it, I hate come-backs.
And yet it's been running perfectly in the server for 3 months.

In article <DAG5b.137273$>, misfit@'SPAMTRAP'orcon.net.nz says...
>
> On all my XP machines, when I look in a drive or partition there is always a
> folder called 'recycler' (I have my preferences set to show hidden and
> system files) I typed the file path exactly as AVG reported it,
> double-checked it too.

This is ODD, to my mind. There is no directory 'recycler' on my machine
anywhere.
Unfortunately I wiped XP from my wife's machine as she wanted 98 back so
I can't double check there.
I am going down to the village tomorrow, I may check on the server at the
Community Resource Centre, if I have the time and if I don't forget. ;-)
I am sure somebody else who reads this can pipe up and pitch in!

It could be of course that since my machine already had 'recycled'
directories that XP decided to recycle those for its own purposes when I
installed it as a second OS (rarely used, only for educational and
experimental purposes b.t.w.)

But I smell a rat. This could be s.th. like the trojan that disguised
itself as kernel32.exe masquerading to look similar to kernel32.dll.

"Peter Huebner" <> wrote in message
news:...
> In article <DAG5b.137273$>,
> misfit@'SPAMTRAP'orcon.net.nz says...
> >
> > On all my XP machines, when I look in a drive or partition there is always
> > a folder called 'recycler' (I have my preferences set to show hidden and
> > system files) I typed the file path exactly as AVG reported it,
> > double-checked it too.
>
> This is ODD, to my mind. There is no directory 'recycler' on my machine
> anywhere.


I have seen this kinda thing once before, AVG picked up a piece of spyware
as a trojan (gave it a name too) in this fashion. I checked Symantec and it
didn't have it listed so did some hunting and found out that the file was
just spyware, but AVG decided it was a virus.

Stoopid thing kept reinstalling itself because AVG kept putting it in the
vault. So every time this woman's pc started up AVG sprang into life saying
she had a virus. Made her bloody paranoid LOL

"Rider" <> wrote in message
news:bj8d7f$4pj$...
>
> I have seen this kinda thing once before, AVG picked up a piece of spyware
> as a trojan (gave it a name too) in this fashion. I checked Symantec and it
> didn't have it listed so did some hunting and found out that the file was
> just spyware, but AVG decided it was a virus.
>
> Stoopid thing kept reinstalling itself because AVG kept putting it in the
> vault. So every time this woman's pc started up AVG sprang into life saying
> she had a virus. Made her bloody paranoid LOL

Since I reformatted it seems to have gone. Just running spybot on it now
anyway.
--
~misfit~

Now that's a worry. When I open a disk drive (or partition) in 'my computer'
every one of them has a 'recycler' bin greyed out. This is with 'show all
files' including system files selected in tools-folder options-view (you get
a warning about tampering with system files) The 'recycler' bin shows up
semi-see-through, sorta what passes for greyed-out, I assume as a warning
not to touch it.

"~misfit~" <misfit@'SPAMTRAP'orcon.net.nz> wrote in
news:wdW5b.137935$:
> Strange, this doesn't tie in with what Rider said. We need more
> people to check their machines.
>
> Anyone wanna look at their XP hidden and system files and folders
> for me please and see?

Win XP Home SP1 - No "recycler" on this box.

--
The last fight was my fault.
My wife asked "what's on the TV"?
I said "Dust"

bambam wrote:
> "~misfit~" <misfit@'SPAMTRAP'orcon.net.nz> wrote in
> news:wdW5b.137935$:
>
>
>>Strange, this doesn't tie in with what Rider said. We need more
>>people to check their machines.
>>
>>Anyone wanna look at their XP hidden and system files and folders
>>for me please and see?
>
>
> Win XP Home SP1 - No "recycler" on this box.
>

Hey misfit.

Just to confuse the issue. XP pro SP1 and all updates.

c:\ Recycled (with stuff I deleted earlier tonite. A few photos).

j:\ Recycler with 6 directories named S-1-5-21-xxxxxxx-xxxxxxx-xxxxxx-1000
and so on with different numbers/letters etc. Also has WINNT\inf (greyed
out). I just had a look at the directories and all apart from winnt
contain the same 70 odd photos I deleted.

And to make it even more confusing the old recycle bin is on the desktop.
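
The path AVG reported earlier in the thread can be read field by field: on NTFS volumes Windows XP keeps one Recycle Bin folder per user account under RECYCLER, named after that account's SID, and renames each recycled item to D<drive letter><index> (FAT volumes use a single Recycled folder instead). The sketch below is an added example, not code from anyone in the thread; the function name, the finding strings and the constructed look-alike path are illustrative assumptions.

```python
import ntpath
import re

# Account SIDs for local/domain users: S-1-5-21-<3 sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$", re.IGNORECASE)
# Windows XP renames recycled items to D<original drive letter><index>[.ext]
ITEM_RE = re.compile(r"^D([A-Z])(\d+)(\.[^.]+)?$", re.IGNORECASE)
BIN_METADATA = {"INFO2", "DESKTOP.INI"}  # index and shell files kept in each bin
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}


def triage_recycler_path(path):
    """Break a scanner-reported path into Recycle Bin fields plus findings."""
    drive, rest = ntpath.splitdrive(path)
    parts = [p for p in rest.split("\\") if p]
    report = {"volume": drive.upper(), "findings": []}
    notes = report["findings"]

    if len(parts) < 3 or parts[0].upper() != "RECYCLER":
        notes.append("not inside a per-user RECYCLER folder")
        return report

    sid, item, inner = parts[1], parts[2], parts[3:]
    m = SID_RE.match(sid)
    if m:
        report["sid"] = sid.upper()
        report["rid"] = int(m.group(1))  # last field identifies the account
    else:
        notes.append("folder under RECYCLER is not a well-formed account SID")

    m = ITEM_RE.match(item)
    if m:
        report["original_drive"] = m.group(1).upper() + ":"
        report["index"] = int(m.group(2))
        # Anything below the renamed item means a whole folder was recycled.
        report["item_kind"] = "folder" if inner else "file"
        if report["original_drive"] != report["volume"]:
            notes.append("item's drive letter differs from the volume letter")
    elif item.upper() in BIN_METADATA:
        report["item_kind"] = "bin metadata"
    else:
        notes.append("item name does not follow the D<drive><index> scheme")

    report["inner_path"] = "\\".join(inner)
    if ntpath.splitext(parts[-1])[1].lower() in EXEC_EXT:
        notes.append("executable content still present on disk")
    return report


# Path exactly as quoted in the thread, plus one constructed look-alike.
REPORTED = ("D:\\RECYCLER\\S-1-5-21-1220945662-1935655697-1343024091-1003"
            "\\DD1\\NET.ZIP.\\NETLIGHT.EXE")
CONSTRUCTED = "D:\\RECYCLER\\S-1-5-21-FAKE\\update.exe"

if __name__ == "__main__":
    for p in (REPORTED, CONSTRUCTED):
        print(p)
        for key, value in triage_recycler_path(p).items():
            print(f"  {key}: {value}")
```

For the reported path this yields a well-formed account SID ending in 1003 and a recycled folder DD1 (first item deleted from drive D:) that still holds NET.ZIP.\NETLIGHT.EXE, so the only finding is the executable itself; the constructed path trips the SID and naming checks as well.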

In article <>, says...
>
> Well I did get down to the Resource Centre today ... their server has no
> 'recycler' directory/ies listed either (and yes, I have 'show hidden and
> system files' enabled down there).

In article <>, *@*.*
says...
> In article <>,
> says...
> >
> > Well I did get down to the Resource Centre today ... their server has no
> > 'recycler' directory/ies listed either (and yes, I have 'show hidden and
> > system files' enabled down there).
>
> And what version of Windows is that?
>
